Human and Computer Exploitation

[Solution] Mr-Robot: 1 Vulnhub

Let's start the VM and scan it with nmap (bridged adapter, because I had problems with host-only).

nmap -p- 192.168.1.67 -sV

We see that there is an open HTTP port. Let's navigate to the webpage.
Having seen the l33t homepage, it's time to solve the challenge.

Flag 1

Generating a 404 error, we can see that the website runs a WordPress installation.
Let's fire up wpscan to find something interesting. But… nothing! A version without known exploits and an installation with no plugins.

What about robots.txt? W00t w00t!

We found one of the three flags plus a dictionary. Bruteforcing time!!!

Let's enumerate the usernames with the old /?author=1 technique. Nothing again.
What about the dictionary? Also, if you look at the login page you can see that it indicates whether the username is incorrect, and there are no anti-bruteforce protections, only the default settings.

I created a python script to help me find the valid usernames. I found the username Elliot.

Now it's time to find the password. We will use wpscan for this. Running it, we can see that it will take hours to reach a result. Maybe the given wordlist hides some tricks inside it. Let's use python again to remove any duplicate passwords. From 850000 passwords we now have 12000. COOL! Fire up wpscan for password cracking.
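The login page described above gives an attacker unlimited attempts and tells them whether the username exists, so the same traffic is also very easy to spot from the server side. As an added example (not part of the original write-up, and not the author's script), this parses constructed Apache combined-log lines, flags source IPs that burst POSTs to wp-login.php, and marks a burst of failed logins (200) followed by a successful one (302) as a probable account compromise. The sample log lines, thresholds and IP addresses are all made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log sample (not captured from the VM): one source
# hammers wp-login.php, then gets a 302 (WordPress' redirect after a successful login).
SAMPLE_LOG = """\
192.168.1.50 - - [10/Oct/2023:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
192.168.1.50 - - [10/Oct/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
192.168.1.50 - - [10/Oct/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
192.168.1.50 - - [10/Oct/2023:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
192.168.1.50 - - [10/Oct/2023:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
192.168.1.50 - - [10/Oct/2023:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.168.1.99 - - [10/Oct/2023:12:00:07 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"
192.168.1.99 - - [10/Oct/2023:12:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    # Returns (ip, timestamp, method, path, status) or None for lines that do not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag IPs that POST to wp-login.php at least `threshold` times inside any
    `window_seconds` span. A failed WordPress login redisplays the form (200);
    a successful one redirects (302), so a 302 after a burst means compromise."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] == "/wp-login.php":
            posts[rec[0]].append((rec[1], rec[4]))
    flagged = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                failures = sum(1 for _, st in events if st == 200)
                success = any(st == 302 for _, st in events)
                flagged[ip] = {"attempts": len(events), "failures": failures, "compromised": success}
                break
    return flagged
```

Running `find_bruteforce(SAMPLE_LOG)` flags only 192.168.1.50, with six attempts, five failures and a successful login at the end; the single legitimate login from 192.168.1.99 is not reported.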

Log in, and yes, we are admin, so we can edit PHP code through the theme editor. Upload a reverse shell (I prefer metasploit but a simple nc would 101% do the job).

Flag 2

Now inside the system, list /etc/passwd to see the users. Going to /home/robot there are two files: an md5 password hash and the flag. After cracking the md5 (google it), we still have to somehow cat the flag file (permission 400).

Let's upgrade to a proper /bin/sh shell with a python one-liner.

python -c 'import pty; pty.spawn("/bin/sh")'

Then execute:

su robot

to switch to the robot user instead of daemon.
Now we can cat the flag.

Flag 3

As the robot user we still do not have access to the /root directory. That has to be the place where the third flag is stored.

nmap is installed with admin privileges (SUID) and is runnable by us. Let's see if we can run OS commands with it.

After some research: nmap has an option that switches it into interactive mode, and from there we can run OS commands with ! (many interactive programs do this, e.g. gdb).

/usr/local/bin/nmap --interactive

So we have access to the /root directory. Listing its contents and then moving the file to /tmp gives us the third flag!

I really struggled with the second flag because there was an error with the shell of the robot user. I was trying to cat with something like sudo -u robot and I didn't think of just switching user with su, so it took me some time to figure it out…